#!/usr/bin/env bash

# Copyright 2024 Flant JSC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

source /shell_lib.sh

function __config__(){
  cat <<EOF
configVersion: v1
kubernetes:
  - name: d8-kube-dns-cm-wh
    apiVersion: v1
    kind: ConfigMap
    executeHookOnEvent: []
    executeHookOnSynchronization: false
    keepFullObjectsInMemory: false
    nameSelector:
      matchNames:
      - d8-kube-dns
    namespace:
      nameSelector:
        matchNames: ["kube-system"]
    jqFilter: |
      {
        "kube-dns-conf": .data.Corefile,
      }
  - name: d8-cluster-configuration
    apiVersion: v1
    kind: Secret
    group: main
    executeHookOnEvent: []
    executeHookOnSynchronization: false
    keepFullObjectsInMemory: false
    nameSelector:
      matchNames:
      - d8-cluster-configuration
    namespace:
      nameSelector:
        matchNames: ["kube-system"]
    jqFilter: |
      {
        "clusterDomain": ( .data."cluster-configuration.yaml" // "" | @base64d | match("[ ]*clusterDomain:[ ]+(.*)\n").captures[0].string),
      }
  - name: kube-dns-module
    apiVersion: deckhouse.io/v1alpha1
    kind: Module
    group: main
    executeHookOnEvent: []
    executeHookOnSynchronization: false
    keepFullObjectsInMemory: false
    nameSelector:
      matchNames:
      - kube-dns
    jqFilter: |
      {
        "status": .status.status,
      }
kubernetesValidating:
- name: publicdomaintemplate-policy.deckhouse.io
  group: main
  includeSnapshotsFrom: ["d8-kube-dns-cm-wh", "d8-cluster-configuration", "kube-dns-module"]
  rules:
  - apiGroups:   ["deckhouse.io"]
    apiVersions: ["*"]
    operations:  ["CREATE", "UPDATE"]
    resources:   ["moduleconfigs"]
    scope:       "Cluster"
EOF
}


function __main__() {
  mcName=$(context::jq -r '.review.request.object.metadata.name')
  if [[ "$mcName" == "global" ]]; then
    moduleKubeDNS=$(context::jq -r '.snapshots.["kube-dns-module"][]?.filterResult.["status"]')

    if [[ $moduleKubeDNS == "Ready" ]]; then
      kubeDNSConf=$(context::jq -r '.snapshots.["d8-kube-dns-cm-wh"][]?.filterResult.["kube-dns-conf"]')
      dnsDomains=$(echo $kubeDNSConf | grep -oP '(?<=kubernetes )(.*?)(?=ip6.arpa)')
    else
      dnsDomains=$(context::jq -r '.snapshots.["d8-cluster-configuration"][]?.filterResult.["clusterDomain"]')
    fi
    publicDomainTemplate=$(context::jq -r '.review.request.object.spec.settings.modules.publicDomainTemplate' | sed s/%s.//)

    for domain in $dnsDomains; do
      if [[ $publicDomainTemplate == $domain ]]; then
        cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":false, "message":"The publicDomainTemplate \"%s.$publicDomainTemplate\" MUST NOT match the one specified in the clusterDomain/clusterDomainAliases parameters of the resource: [\"$dnsDomains\"]." }
EOF
      return 0
      fi
    done
  fi
cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":true}
EOF
}

hook::run "$@"
